As a part of my final year project, i plan to develop a customized qr code encoder/decoder which would generate Encrypted QR Codes. Not having much knowledge in encryption i just wanted to know if any algorithm like RC4 can be implemented on a mobile device given the resource constraints. Also if not on mobile device, would it be possible to develop a qr reader/generator for pc ? If yes, any info on any libraries that can be used ?
Just to be clear, by encrypted i mean, original message-->encryption-->encrypted message-->generate QR Code for encrypted message-->encrypted qr code
Receiver side: encrypted qr code-->qr code reader-->encrypted message-->decryption-->original message.
Is a smartphone powerful enough to run RC4 over a few hundred bytes of data? By many orders of magnitude, yes. Think about how much processing it takes to support the HTTPS connection you probably just used on a mobile web site. Or, consider that decoding a QR code already requires Reed-Solomon decoding over the same data, which is about as complex. Even 100K operations is next to nothing on a 1GHz chip.
Related
I'm fairly new to BLE and am exploring the security of advertising packets. I was hoping to find some recommendations for resources/general advice on how should learn/implement lightweight encryptions for advertising packets. The data I would work with isn't highly sensitive and after looking into it I'm leaning towards using an ECB and two TI Launchpads to develop with.
For your own private project it might be suitable to use symmetric encryption such as AES. You would need one key on all devices to en- and decrypt your messages.
Depending on your choice of language there are small libraries like tiny-AES availible. Larger collection of cryptographic tools like mbedtls or cryptopp exist but might be overkill for your purpose.
Also take a look at the tools provided by TI, there might be some libraries included in your SDK.
I'm a young professional who's into embedded design, IT networking, control/monitoring systems and much more. Currently, I'm developing a monitoring system using a device from Tibbo Techonology, their DS1102.
http://tibbo.com/products/controllers/ds110x/ds1102
It's a programmable device that covers serial and ethernet communications. For my project, its main tasks are serial data collection and database population. Serial communication is done through RS485 and database used is MySQL 5.5. My database is hosted on a public IP which also runs a webserver for the interface while my device is behind a NAT. It connects to the database directly using the public IP.
I'd like to ask for advices so that I can enhance and upgrade it. Right now these are the
questions I'd like to ask.
Which is better? Having the server on a public IP or using port forwarding?
I'm also using it as webserver for the interface of my monitoring system.
To communicate with the device (rebooting, changing IP etc), I wrote an application in
python using UDP (using port 65535 of device) and also set the device to communicate with the application for specific commands. My concern is I want to encrypt the communication between my python app and the device both ways. The only available function for both encrypting and decrypting on the DS1102 is RC4. What are your thoughts on using RC4 for this application? Also, I'm planning to do port forwarding on port 65535 so that I can use my python app from the outside. Can RC4 be reliable for this too? I really want to learn how to use encryptions properly.
I'm also planning to implement SMTP for alert messages. Tibbo has a sample code from which I based mine. Problem is, it's on AUTH PLAIN LOGIN. I think I want to turn it to STARTTLS later. Can you recommend some lessons on the algorithm of STARTTLS?
What are those details on MAIL FROM:<> and RCPT TO:<>? Because on using the command
DATA, the programmer can write anyway From: and To: which can make his identity someone else.
That's it for now. Suggestions are very welcome.
You can also share some good reading materials and links. I'm always hungry for learning. :)
Thanks for your time.
2.
Encryption substitutes the confidentiality of an arbitrary amount of data (the plaintext) with the confidentiality of a small amount data (the key). In other words, your communication is only as confidential as the key – if the shared secret key leaks out, the encryption is worthless. More on this.
Also note that plain RC4 provides no authenticity (message integrity). An adversary can modify messages as much as he wants. He can even send his own messages which will be considered perfectly valid by the cipher. Verifying the validity of the messages is is up to the code that parses the messages.
If your messages are simple (only a few bytes or so), an adversary could simply send random bytes until they decrypt such that they form a valid message, without knowing anything about the key. This happens on average after only 100 attempts for a 1-byte message for example.
You will obviously have to use some sort of a nonce to prevent trivial replay attacks.
RC4 is also rather quirky per se. I guess you are already aware of the numerous "drop-n" variants and so on.
In short, protocol design is perilous. Even experts often get it wrong (look at WEP for example). The most straightforward way to solve this would be to find hardware that can handle an existing protocol such as TLS.
I'm working on a project that take the GPS location every 5 seconds and send it to the server, but i need to make a little of security, so i need to encrypt the location in android device and decrypt it in server side, so i'm searching for a simple algorithm to do this
Thanks in advance
The ideas for you to try:
Send your data over HTTPS. It will add the layer of security you need and it's one of the simplest methods available.
Use Java Encryption API with asymmetric cryptographic algorithm like RSA. You should probably avoid using AES or similar symmetric algorithm because you should not store passphrase in your Android app - it could be quite easily compromised.
There is an interesting problem at hand. I have a role-playing MMOG running through a client application (not a browser) which sends the actions of my player to a server which keeps all the players in sync by sending packets back.
Now, the game uses a top layer protocol over TCP/IP to send the data. However, wireshark does not know what protocol is being used and shows everything beyond the TCP header as a dump.
Further, this dump does not have any plain text strings. Although the game has a chat feature, the chat string being sent is not seen in this dump as plain text anywhere.
My task is to reverse engineer the protocol a little to find some very basic stuff about the data contained in the packets.
Does anybody know why is the chat string not visible as plain text and whether it is likely that a standard top level protocol is being used?
Also, are there any tools which can help to get the data from the dump?
If it's encrypted you do have a chance (in fact, you have a 100% chance if you handle it right): the key must reside somewhere on your computer. Just pop open your favorite debugger, watch for a bit (err, a hundred bytes or so I'd hope) of data to come in from a socket, set a watchpoint on that data, and look at the stack traces of things that access it. If you're really lucky, you might even see it get decrypted in place. If not, you'll probably pick up on the fact that they're using a standard encryption algorithm (they'd be fools not to from a theoretical security standpoint) either by looking at stack traces (if you're lucky) or by using one of the IV / S-box profilers out there (avoid the academic ones, most of them don't work without a lot of trouble). Many encryption algorithms use blocks of "standard data" that can be detected (these are the IVs / S-boxes), these are what you look for in the absence of other information. Whatever you find, google it, and try to override their encryption library to dump the data that's being encrypted/decrypted. From these dumps, it should be relatively easy to see what's going on.
REing an encrypted session can be a lot of fun, but it requires skill with your debugger and lots of reading. It can be frustrating but you won't be sorry if you spend the time to learn how to do it :)
Best guess: encryption, or compression.
Even telnet supports compression over the wire, even though the whole protocol is entirely text based (well, very nearly).
You could try running the data stream through some common compression utilities, but I doubt that'd do much for you, since in all likelihood they don't transmit compression headers, there's simply some predefined values enforced.
If it's infact encryption, then you're pretty much screwed (without much, much more effort that I'm not even going to start to get into).
It's most likely either compressed or encrypted.
If it's encrypted you won't have a chance.
If it's compressed you'll have to somehow figure out which parts of the data are compressed, where the compressed parts start and what the compression algorithm is. If your lucky there will be standard headers that you can identify, although they are probably stripped out to save space.
None of this is simple. Reverse engineering is hard. There aren't any standard tools to help you, you'll just have to investigate and try things until you figure it out. My advice would be to ask the developers for a protocol spec and see if they are willing to help support what you are trying to do.
I'm connecting mi cell phone application in J2ME to a web service and I have to send a SHA256 hash to it in order to validate some data received. I also need to be capable to store some information encrypted into the cell phone. I was thinking to use AES (rinjdael) symmetric encryption.
Anyone knows about any code example using AES encryption in J2ME ?
I would advise looking into the open source bouncycastle library.
It has been successfully used for cryptography on J2ME.